Full Report
The Department of Justice also indicted two men tied to the exchange. The post Russian crypto exchange Garantex seized in international law enforcement operation appeared first on CyberScoop.
Analysis Summary
# Incident Report: Seizure of Garantex Cryptocurrency Exchange Infrastructure
## Executive Summary
International law enforcement agencies successfully seized the infrastructure of the Moscow-based cryptocurrency exchange, Garantex, due to its alleged role in laundering billions in criminal proceeds, including funds from ransomware and terrorism financing. The operation resulted in the seizure of key domain names and operational servers, the freezing of over $53 million in assets through cooperation with Tether, and the indictment of two key executives for money laundering conspiracy. Although the exchange suspended services, Russian officials have indicated that blocking the market entirely will be difficult.
## Incident Details
- Discovery Date: The operation culminated with the unsealing of court documents on Friday (exact date not specified); the investigation had been ongoing since at least April 2022.
- Incident Date: The operation culminated on Friday (exact date not specified). The alleged illicit activity spanned from April 2019 onwards.
- Affected Organization: Garantex (Cryptocurrency Exchange)
- Sector: Financial Services / Cryptocurrency Exchange
- Geography: Headquarters in Moscow, Russia; Operation involved US, Germany, Finland, Netherlands, Estonia, and Europol authorities.
## Timeline of Events
### Initial Access
- **Date/Time:** Operation culminated; underlying criminal activity spanned from April 2019.
- **Vector:** Exploitation of the platform's anonymity features to facilitate illicit transactions, following initial sanctioning in April 2022.
- **Details:** The exchange processed approximately $96 billion in transactions since 2019, facilitating proceeds from ransomware and terrorism financing.
### Lateral Movement
- **Date/Time:** Continuous, post-initial deposit.
- **Vector:** Technical countermeasures used to evade detection.
- **Details:** Allegedly, technical administrator Aleksej Besciokov moved operational cryptocurrency wallets to different addresses daily to complicate detection by U.S.-based exchanges despite OFAC sanctions.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing until infrastructure seizure/asset freezes.
- **Vector:** Processing of criminal proceeds amounting to hundreds of millions from illicit enterprises.
- **Details:** Facilitated laundering flows tied to ransomware, terrorism financing, and Lazarus Group laundering of over $30 million from the Horizon Bridge theft. Confiscated assets include customer and accounting databases.
### Detection & Response
- **Date/Time:** OFAC Sanctioned Garantex in April 2022. Operation culminated with seizures unsealed on Friday.
- **Response Actions:** International law enforcement seizure of three key domain names (Garantex.org, Garantex.io, Garantex.academy), confiscation of operational servers, freezing of $26M in US-controlled funds, and cooperation with Tether to freeze an additional $27M. Two executives indicted.
## Attack Methodology
- **Initial Access:** Funds deposited onto the platform by criminals across various illicit sources (ransomware, dark web, terrorism financing).
- **Persistence:** Executives deliberately maintained operational access and provided incomplete information to Russian law enforcement when questioned about suspicious accounts, despite prior sanctions.
- **Privilege Escalation:** N/A (This was an organized crime/money laundering operation, not a typical network intrusion).
- **Defense Evasion:** Implementing technical countermeasures, specifically rotating wallet addresses daily post-sanctions to bypass monitoring by US-based exchanges.
- **Credential Access:** N/A
- **Discovery:** Blockchain analytics, specifically Elliptic, traced $30M laundered by Lazarus Group.
- **Lateral Movement:** N/A (Movement was within the ledger system via wallet rotation, not internal network movement).
- **Collection:** Obtaining copies of customer and accounting databases during server seizure.
- **Exfiltration:** Laundered billions in cryptocurrency proceeds out of the platform.
- **Impact:** Facilitation of large-scale criminal financial flows and sanctions evasion.
## Impact Assessment
- **Financial:** Over $96 billion in transactions processed since 2019; the US government and Tether together froze approximately $53 million allegedly linked to illicit activity.
- **Data Breach:** Copies of customer and accounting databases were obtained by authorities.
- **Operational:** Garantex suspended all services, including withdrawals, upon infrastructure seizure and asset freezes.
- **Reputational:** Significant blow to the perceived legitimacy of the exchange; implicated in financing terrorism and ransomware.
## Indicators of Compromise
- **Network indicators (Defanged):** Garantex[.]org, Garantex[.]io, Garantex[.]academy (seized domains)
- **File indicators:** Seized server images containing customer/accounting databases.
- **Behavioral indicators:** Daily rotation of operational cryptocurrency wallet addresses post-April 2022 sanctions to evade US monitoring.
## Response Actions
- **Containment measures:** Seizure of three primary domain names by US authorities; confiscation of servers housing exchange operations by German and Finnish authorities.
- **Eradication steps:** Freezing of $26 million in funds by US authorities and $27 million held by Tether linked to Garantex wallets.
- **Recovery actions:** Indictment of executives Aleksej Besciokov and Aleksandr Mira Serda. EU added Garantex to its sanctions list (Feb 26).
## Lessons Learned
- **Key takeaways:** International, multi-agency coordination is effective in dismantling centralized nodes of illicit finance, even those operating under sanctions and attempting evasion. Financial tracking firms (e.g., Elliptic) play a crucial role in attribution and investigation.
- **What could have been done better:** Earlier, more aggressive cooperation between international regulators *before* the exchange was sanctioned by OFAC, although the sustained investigation ultimately proved successful.
## Recommendations
- **Prevention measures for similar incidents:** Implement mandatory, real-time blockchain transaction monitoring for sanctioned entities across international exchange clearinghouses. Enhance coordination between cryptocurrency analysis firms and global law enforcement for rapid asset freezing. Continue applying sanctions against technical administrators and corporate officers directly involved in evasion schemes.